Thread View: gmane.comp.apache.apacheweek
Author: Apache Week
Date: Fri, 13 Feb 2004 17:04
                                APACHE WEEK

The essential weekly guide for users of the world's most popular Web server.
                       Issue 342: 13th February 2004

                                 In this issue

     * Under development
     * Security Reports
     * In the news
     * Featured articles
     * Apache Week Celebrates Its Eighth Birthday

                               Under development

     Greg  Ames  has  been  working  on  a  patch  to  speed  up request
     processing  when  a  handler is configured for a specific Location.
     Currently in such configurations, the directory tree mapping to the
     location  is  still  traversed after a handler has been determined,
     which  is  unnecessary  when  the handler of the request is already
     known  to  be  "virtual" (rather than based in the filesystem). The
     performance overhead of this unnecessary directory tree walk can be
     significant; discussion of how to eliminate it continues as the
     developers  try  to  determine  how  this  "virtual-ness" should be
     decided: whether manually by configuration option, or automatically
     by logic in the module itself.

     The  default  hard  limit on the number of httpd child processes in
     2.0's  prefork  MPM stood at the already unreasonably high value of
     20,000  until recently in the 2.1 tree. Colm MacCarthaigh requested
     an  increase to 100,000 after hitting the old limit using the newly
     released  Linux  2.6  kernel  on  the  production  servers  at  the
     [1]HEAnet  mirror  sites  in Ireland. Colm notes that allowing this
     number  of  connections  to  a single machine requires listening on
     more  than  one  IP  address  due to the limit on (16-bit) TCP port
     numbers.

                               Security Reports

Apache-SSL optional client certificate vulnerability

     A  minor  issue  [2]has  been  found  which affects the third-party
     Apache-SSL module. If a server using Apache-SSL was configured with
     SSLVerifyClient  set  to  1 or 3 (client certificates optional) and
     SSLFakeBasicAuth,  then  Apache-SSL  versions 1.3.28+1.52 and prior
     would  permit  a client to use real basic authentication to forge a
     client   certificate.  The  Common  Vulnerabilities  and  Exposures
     project  has  assigned  the  name  [3]CAN-2004-0009  to this issue.
     Updates are available from [4]apache-ssl.org.

     This  issue  also  affected  versions  of  mod_ssl  prior  to 2.8.0
     (released 30th January 2001).
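     The following is an added illustration of the decision the advisory above
     describes; it is not Apache-SSL's or mod_ssl's code, and the DNs, password
     file and request objects are constructed for the example. It assumes what
     the fake-basic-auth scheme is documented to do in mod_ssl: the subject DN
     of a verified client certificate becomes the Basic username and the
     password is the fixed, well-known string "password" (stored in the
     password file as a crypt hash, here kept as plaintext). With certificates
     optional, a client that presents no certificate can send a real
     Authorization header naming any permitted DN with that password. The
     hardened decision follows the shape of the later mod_ssl fix as this
     editor reads it (a real Basic header carrying the fake password is
     refused, and identity comes only from the certificate); that reading is
     an assumption, not a quotation of either project's patch.

```python
"""Model of the Apache-SSL / mod_ssl FakeBasicAuth flaw (added example).

Not code from Apache-SSL or mod_ssl. Assumptions: the server turns a verified
client certificate's subject DN into a Basic username with the fixed password
FAKE_PASSWORD; the password file holds one entry per permitted DN, all with
that password; the hardened check refuses a real Basic header that uses the
fake password and takes identity from the certificate only.
"""
import base64
from dataclasses import dataclass
from typing import Optional

FAKE_PASSWORD = "password"  # fixed value FakeBasicAuth uses (documented by mod_ssl)

# Constructed password file: DN -> password. A real file holds crypt() hashes
# of FAKE_PASSWORD (mod_ssl documents "xxj31ZMTZzkVA"); plaintext suffices here.
USERS = {
    "/C=IE/O=Example Ltd/CN=alice": FAKE_PASSWORD,
    "/C=IE/O=Example Ltd/CN=bob": FAKE_PASSWORD,
}


@dataclass
class Request:
    client_dn: Optional[str]             # subject DN of a verified cert, or None
    authorization: Optional[str] = None  # raw Authorization header, if any


def parse_basic(header: str) -> Optional[tuple]:
    """Decode 'Basic <base64(user:password)>'; None for anything else."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, _, pw = base64.b64decode(blob, validate=True).decode().partition(":")
    except ValueError:  # bad base64 or non-UTF-8 payload
        return None
    return user, pw


def authorize_vulnerable(req: Request, users=USERS) -> Optional[str]:
    """Certificates optional + FakeBasicAuth, pre-fix behaviour.

    A verified certificate is converted to fake credentials; without one, any
    real Authorization header is checked against the very same password file,
    so the well-known fake password lets the client pick its DN.
    """
    if req.client_dn is not None:
        creds = (req.client_dn, FAKE_PASSWORD)
    elif req.authorization is not None:
        creds = parse_basic(req.authorization)
    else:
        return None
    if creds and users.get(creds[0]) == creds[1]:
        return creds[0]
    return None


def authorize_fixed(req: Request, users=USERS) -> Optional[str]:
    """Hardened decision: identity may only come from a verified certificate.

    A real Basic header that carries the fake password is refused outright
    (modelled on the later mod_ssl behaviour; an assumption of this example).
    """
    if req.authorization is not None:
        creds = parse_basic(req.authorization)
        if creds and creds[1] == FAKE_PASSWORD:
            return None
    if req.client_dn is None:
        return None
    if users.get(req.client_dn) == FAKE_PASSWORD:
        return req.client_dn
    return None


def forged_header(dn: str) -> str:
    """What a client with no certificate sends to impersonate `dn` (constructed)."""
    return "Basic " + base64.b64encode(f"{dn}:{FAKE_PASSWORD}".encode()).decode()


if __name__ == "__main__":
    attacker = Request(client_dn=None,
                       authorization=forged_header("/C=IE/O=Example Ltd/CN=alice"))
    legit = Request(client_dn="/C=IE/O=Example Ltd/CN=bob")
    print("vulnerable, forged header:", authorize_vulnerable(attacker))
    print("fixed, forged header:     ", authorize_fixed(attacker))
    print("fixed, real certificate:  ", authorize_fixed(legit))
```

     The point to take from the model is that the password file cannot
     distinguish a faked Basic header from a real one, so the only safe
     sources of the username are the certificate itself or a deployment in
     which certificates are required rather than optional.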

Bugtraq reports of configuration errors

     Two new reports have been sent to the bugtraq mailing list claiming
     to  discover  Apache  security  issues: in fact, both simply reveal
     configuration errors which lead to security problems.

     The [5]first issue details a configuration where the root directory
     has its access control set to Deny from all along with AllowOverride
     FileInfo;  a  request  to  a  location not covered by looser access
     control   restrictions   will  hence  generate  a  "403  Forbidden"
     response.  The  reporter  claims  that  because  a  local  user can
     configure  a custom 403 ErrorDocument response in a .htaccess file,
     they  can circumvent the access control restrictions imposed on the
     root  directory.  In  fact,  ErrorDocument is only permitted in the
     .htaccess  when  AllowOverride  FileInfo  is used: therein lies the
     configuration error.

     The  second  report  concerns  the  use  of  Apache  with the Resin
     application   server:   access   control   to  WEB-INF  directories
     containing  JSP  source  code  must  be  protected  using Directory
     containers  rather  than  Location as the latter can be bypassed by
     URIs  which use non-canonical filenames. This report details use of
     the ".." filename suffix which is ignored in a Windows filesystem.
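     The following is an added illustration of why the Resin report above is a
     configuration error rather than an Apache bug; it is not code from Apache,
     Resin or the bugtraq report. A Location container is matched against the
     request URI as sent, whereas a Directory container is matched against the
     filesystem path the URI resolves to. The Windows naming rules are modelled
     in Python rather than called: trailing dots and spaces are dropped from
     each path component, and names compare case-insensitively (the second rule
     goes beyond the ".." case the report describes, for the same reason). The
     document root and request URIs are constructed sample values.

```python
"""Location-vs-Directory model for the WEB-INF report (added example).

Not code from Apache, Resin or the bugtraq report. Assumptions: a Windows
filesystem ignores trailing dots and spaces in a path component and looks
names up case-insensitively; DOCROOT and the URIs are constructed.
"""

DOCROOT = "C:/www/app"                # constructed sample document root
PROTECTED_URI = "/WEB-INF"            # weak config:  <Location /WEB-INF>
PROTECTED_DIR = DOCROOT + "/WEB-INF"  # right config: <Directory "C:/www/app/WEB-INF">


def location_denies(uri: str, prefix: str = PROTECTED_URI) -> bool:
    """<Location /WEB-INF> matches /WEB-INF and /WEB-INF/..., not /WEB-INFO."""
    return uri == prefix or uri.startswith(prefix + "/")


def windows_canonical(docroot: str, uri: str) -> str:
    """Path a Windows filesystem would actually open for the request URI."""
    parts = []
    for comp in uri.split("/"):
        if comp in ("", "."):
            continue
        if comp == "..":
            if parts:
                parts.pop()            # traversal never escapes the document root
            continue
        comp = comp.rstrip(". ")       # Windows drops trailing dots and spaces
        if comp:
            parts.append(comp)
    return docroot + "/" + "/".join(parts)


def directory_denies(path: str, directory: str = PROTECTED_DIR) -> bool:
    """<Directory> semantics on Windows: prefix match on the resolved path,
    compared case-insensitively because the filesystem is."""
    p, d = path.lower(), directory.lower().rstrip("/")
    return p == d or p.startswith(d + "/")


def check(uri: str) -> dict:
    """Evaluate one request against both styles of protection."""
    path = windows_canonical(DOCROOT, uri)
    return {
        "uri": uri,
        "path": path,
        "location_denies": location_denies(uri),
        "directory_denies": directory_denies(path),
    }


if __name__ == "__main__":
    # Constructed requests: the plain one, the trailing-dot form from the
    # report, and a case-changed form that escapes the Location for the same reason.
    for uri in ("/WEB-INF/web.xml", "/WEB-INF../web.xml", "/web-inf/web.xml"):
        r = check(uri)
        print(f'{uri:22} -> {r["path"]:32} Location:{r["location_denies"]!s:5} '
              f'Directory:{r["directory_denies"]}')
```

     Only the first URI is stopped by the Location container; the other two
     pass it and still open C:/www/app/WEB-INF/web.xml, which is exactly what a
     Directory container on the resolved path catches.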

     These  reports  emphasise  the  need  for  server administrators to
     carefully  review  the  documentation for Apache (for instance, the
     [6]Security tips section) and also ensure that the configuration is
     adapted correctly for the set of modules in use.

                                  In the news

IIS heads off Apache

     Over  the  last  couple of weeks a large number of publications have
     been circulating details of a new server survey by software company
     Port80.  These  include eWeek with their story [7]"Survey Says: IIS
     Top  Choice Among Most Popular Web Sites". Instead of including all
     web  servers  on  the  Internet  like  surveys  from  Netcraft  and
     SecuritySpace,  Port80  instead focus on a selected subset, in this
     case  from the top 1000 Nielsen NetRatings. Apache comes in a close
     second  place  with  just  under  40%  of  the market share in this
     survey.  This  is  a  great improvement, as a couple of years ago a
     similar  subset  survey from [8]BizNix found only 23% of the Global
     500 were running Apache. Meanwhile [9]Smutcraft find a whopping 88%
     of  porn  sites  are  kept  up  by  Apache. It must be due to those
     patches everyone keeps mailing us about.

                               Featured articles

     In  this  section we highlight some of the articles on the web that
     are of interest to Apache users.

     Newsforge  [10]provide  a transcript of the recent IRC session with
     Apache developer and ASF board member [11]Ken Coar.

     Adam  Pedersen  squeezes  every last drop of performance out of his
     Apache  servers  in  [12]"Introducing  LAMP  Tuning Techniques". He
     looks  at  common  configuration tuning, managing Apache RAM usage,
     and how PHP and MySQL all have an effect on performance.

     Scott  Robinson  attempts  to  unravel mod_ssl configuration in his
     short  article  [13]"Web  Technologies:  Use  mod_ssl  to configure
     Apache keys and certificates".

                  Apache Week Celebrates Its Eighth Birthday

     This  issue  marks the eighth anniversary of Apache Week. [14]Issue
     one  was  published  on  9th  February  1996,  although it was only
     available  on the Web until we started an email subscription option
     with issue 6.

     When issue one was published, Apache version 1.0.0 had been out for
     just  over a month. The current stable version was 1.0.2. According
     to Netcraft, Apache became the most widely used server in the April
     1996  survey,  reported  in [15]issue 9. Today Apache-based servers
     are in use on over 60% of the world's Internet sites.

     The  Apache  1.2 beta cycle started in December 1996 with 1.2b1 and
     continued  until  Apache  1.2  was released in June 1997 ([16]issue
     68).  The 1.3 beta cycle started in October 1997 ([17]issue 87) and
     continued  until  Apache 1.3.0 was released in June 1998 ([18]issue
     118).  Whilst  1.3.0  was highly stable on Unix systems, it was much
     less developed on Windows.

     In August 1998 the Netcraft Server Survey showed for the first time
     that  Apache  was  in  use  on  more than half the world's internet
     servers,  and  Ralf  Engelschall  released the first version of the
     popular  mod_ssl  module.  In  October  the  first  official Apache
     conference,  ApacheCon 98, was held in San Francisco and was a huge
     success drawing nearly 500 registrations ([19]issue 134). Three more
     Apache  conferences have been held since then, with the most recent
     [20]in Santa Clara giving attendees a unique opportunity to talk to
     the people behind the software.

     Towards  the  end  of 1998, Apache was recognised by Microsoft as a
     real  and  credible  threat to their business in their leaked memos
     ([21]issue  137). A few years later this was proven when the Gartner
     Group suggested all IIS users switch to something more secure, like
     Apache.

     In  July  1999  ([22]issue  165) the Apache Software Foundation was
     formed  with  the  aim  to provide a legal framework for Apache and
     related open-source projects such as the Jakarta and XML projects.

     The  httpd  team worked on Apache 2.0 for a long time, with initial
     plans  reported in February 1998 ([23]issue 102). In September 1999
     ([24]issue  173) we published an Apache 2.0 preview and stated that
     a  beta  version  should  be  available in late 1999 or early 2000,
     although  it  was to take until April of 2001 before the first beta
     was released, and April of 2002 before general availability.

     Even  after  the  release  of  Apache  2.0, Apache 1.3 continued to
     receive  updates  for  [25]security issues as well as bug fixes and
     minor feature additions.

     Apache  Week  is  a weekly publication, but over the last couple of
     years  we've  missed  out  a number of issues. We've done this when
     there  is little or no news as feedback from readers has shown that
     this  is  preferable  to  us sending out tiny issues with no useful
     content.  Apache  Week  will  continue to bring you the latest news
     about the Apache web server and its development, as it happens.
       ______________________________________________________________

     This issue brought to you by: Mark J Cox, Joe Orton
     Comments or criticisms? Please email us at
     [26]editors@apacheweek.com.

     [27]Apache Week is Copyright 2004 [28]Red Hat, Inc.

References

   1. http://www.heanet.ie/
   2. http://marc.theaimsgroup.com/?l=bugtraq&m7619127531765
   3. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0009
   4. http://www.apache-ssl.org/
   5. http://marc.theaimsgroup.com/?l=bugtraq&m757762552806&q=raw
   6. http://httpd.apache.org/docs-2.0/misc/security_tips.html
   7. http://www.eweek.com/article2/0,4149,1518434,00.asp
   8. http://www.biznix.org/surveys/
   9. http://www.smutcraft.net/
  10. http://www.newsforge.com/software/04/02/03/1922236.shtml?tid2&tidย‚&tidย
  11. http://httpd.apache.org/contributors/#coar
  12. http://www.onlamp.com/pub/a/onlamp/2004/02/05/lamp_tuning.html
  13. http://builder.com.com/5100-6371_14-5147456.html
  14. http://www.apacheweek.com/issues/96-02-09
  15. http://www.apacheweek.com/issues/96-04-04
  16. http://www.apacheweek.com/issues/97-06-06
  17. http://www.apacheweek.com/issues/97-10-17
  18. http://www.apacheweek.com/issues/98-06-05
  19. http://www.apacheweek.com/issues/98-10-16
  20. http://www.apacheweek.com/features/apachecon2001
  21. http://www.apacheweek.com/issues/98-11-06
  22. http://www.apacheweek.com/issues/99-07-02
  23. http://www.apacheweek.com/issues/99-02-13
  24. http://www.apacheweek.com/issues/99-09-24
  25. http://www.apacheweek.com/security
  26. mailto:editors@apacheweek.com
  27. http://www.apacheweek.com/
  28. http://www.redhat.com/

----------------------------------------------------------------------
To unsubscribe visit https://www.redhat.com/mailman/listinfo/apacheweek
or send the message   "unsubscribe"  to   apacheweek-request@redhat.com
----------------------------------------------------------------------

